Trojan in school website

Discussion in 'malware problems & news' started by emperordarius, Jun 14, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Avira flags that page as containing a trojan as well. Funny, though: when I search with Firefox and search with Google, Avira alerts. When I use IE7 and search with Google, Avira does not alert.
     
    Last edited: Jun 14, 2008
  3. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Last edited: Jun 15, 2008
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Does anyone know why Avira would alert to that site if it comes up in a google search using Firefox but not IE7?

    Also, I see that the alert from KIS says "trojan.js.redirector" and the web browser is Opera. Is that some sort of XSS? For some reason I thought Opera was somehow immune from XSS, if that's what that is.

    Would someone care to explain how this malware most likely works?

    thanks

    PS- emperordarius- thanks for the pic and youtube video.
     
  5. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    There's a file called check.js in a hidden directory in the website.
    It is a JavaScript file that probably is executed every time you access the website, and that's where the malicious script is. If someone would mind analysing the file's source code...

    And Opera isn't completely immune to vulnerabilities...

    About the Firefox thing, maybe Firefox is vulnerable to something in the website and Internet Explorer not? You'd better report that site to Firefox!
     
    Last edited: Jun 15, 2008
  6. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I tried to make a post on the mozilla forums but that site is down for some reason. I tried using FF and IE.
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    What happens if you go to the site using NoScript? o_O
     
  8. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Why don't you try it?:D
     
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I'm too scared to get infected. :(
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I uploaded the script to virustotal, the result is:

    ~VirusTotal and\or Jotti link removed per Policy....Bubba~

    So you know if your av can block it...

    *Please don't take this post as a comparison*
     
    Last edited by a moderator: Jun 15, 2008
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I ran Dr. Web's link scanner and it showed "clean". Also, Finjan shows the site as clean.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This file (analyzed as trojan.js.redirector.e) is not in the html page code, so it must be loaded from the server. Using IE it caches almost 1 minute after the page itself has loaded.

    See:

    Ravens PHP Scripts And Web Hosting Forum
    http://ravenphpscripts.com/posts14928-start-0.html
    Using Google searches, I could not get any redirects using Opera with scripting on and Popups allowed.

    The code in the check.js file begins:

    Code:
    if ( (Math.random()*60 < JSS1) && document.referrer.match(/^http:\/\/([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\./) && document.referrer.match(/[?&]
    .......
    
    Covering many search engines!

    Another victim:

    http://www.speyside-developments.co.uk/anti_hacking.php
    See also the link in the article to an analysis of a typical hack.

    You may remember another type, the Google Sloan Tree Farm Redirect exploit, where clicking on the link from Google appended a malicious URL to the link that was clicked on, effectively taking you to a bad site.

    Other reference:

    http://www.scansafe.com/__data/assets/pdf_file/7584/gtr_APRIL2008.pdf

    ----
    rich
     
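    The post above explains the two properties that matter for defenders: the redirect only fires when the page was reached from a search engine (document.referrer) and only on a random fraction of those visits (Math.random()*60 < JSS1). The following is an added example written for this thread, not code from the thread or from any of the posters. It takes the gate quoted above and (a) evaluates it against different referrers to show why a link checker that fetches the page directly, with no search-engine Referer, will never see the redirect, and (b) lists static indicators a defender can grep a site's .js files for. The threshold value JSS1 = 30, the query-parameter part of the second regex (the quoted code is cut off there) and the redirect target are assumptions, labelled as such in the code.

    ```javascript
    // Added example for this thread (not the original check.js, not the posters' code).
    // Defender's view of a referrer-gated JS redirector: why it hides from scanners,
    // and what to look for in a site's script files.

    // The search-engine referrer test exactly as quoted in the thread.
    const SEARCH_ENGINE_REFERRER = /^http:\/\/([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\./;

    // The quoted code breaks off after "match(/[?&]"; the rest is ASSUMED here:
    // a check that the referrer carries a search-query parameter.
    const QUERY_PARAM_ASSUMED = /[?&](q|p|query)=/;

    // Does the referrer part of the gate open for a given document.referrer?
    // A scanner fetching the URL directly has an empty referrer, so the gate
    // never opens and the scanner sees a "clean" page.
    function referrerGateOpens(referrer) {
      return SEARCH_ENGINE_REFERRER.test(referrer) && QUERY_PARAM_ASSUMED.test(referrer);
    }

    // Math.random()*60 < JSS1 fires with probability JSS1/60 (clamped to [0,1]).
    // With an unknown JSS1 well below 60, a handful of manual visits from two
    // browsers can easily give different results by chance alone.
    function triggerProbability(jss1) {
      return Math.min(1, Math.max(0, jss1 / 60));
    }

    // Static indicators worth grepping for in a site's script files. Each one
    // alone is harmless; all of them together in one file is the redirector shape.
    const INDICATORS = [
      { name: "referrer-gated", re: /document\.referrer\.match\s*\(/ },
      { name: "search-engine list", re: /\((?:google|msn|yahoo|live|ask)(?:\|[a-z0-9_\-]+){3,}\)/ },
      { name: "probabilistic trigger", re: /Math\.random\(\)\s*\*\s*\d+\s*<\s*\w+/ },
      { name: "location change", re: /(?:window\.|document\.)?location(?:\.href)?\s*=[^=]|location\.replace\s*\(/ },
    ];

    function scanForRedirector(source) {
      return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
    }

    // CONSTRUCTED sample: the gate from the thread, completed with an assumed
    // JSS1 value, the assumed query check and a placeholder redirect target.
    const SAMPLE_CHECK_JS = `
    var JSS1 = 30;
    if ( (Math.random()*60 < JSS1) && document.referrer.match(/^http:\\/\\/([a-z0-9_\\-]+\\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\\./) && document.referrer.match(/[?&](q|p|query)=/) ) {
      window.location = "http://placeholder.invalid/landing";
    }
    `;

    // CONSTRUCTED benign script that also reads document.referrer, to show the
    // indicators do not fire on ordinary analytics-style code.
    const BENIGN_JS = `if (document.referrer) { console.log("came from " + document.referrer); }`;

    // Summarise how the same page looks from different fetch contexts.
    function scannerBlindSpot() {
      return {
        directFetch: referrerGateOpens(""),                                   // link checkers
        fromGoogleHttp: referrerGateOpens("http://www.google.com/search?q=school+name"),
        fromGoogleHttps: referrerGateOpens("https://www.google.com/search?q=school+name"),
        fromOtherSite: referrerGateOpens("http://www.example.com/links?q=school"),
        chancePerQualifyingVisit: triggerProbability(30),
      };
    }

    console.log("indicators in sample:", scanForRedirector(SAMPLE_CHECK_JS));
    console.log("indicators in benign:", scanForRedirector(BENIGN_JS));
    console.log(scannerBlindSpot());
    ```

    Two things fall out of this. First, every on-demand URL checker mentioned in the thread fetches the page without a search-engine Referer, so it exercises the "direct fetch" branch and reports clean regardless of whether check.js is still there; submitting the script file itself to an AV engine, as emperordarius did, is the check that actually works. Second, because the quoted regex is anchored to http://, search referrers arriving over https (the Google HTTPS search beta that existed in 2008) do not open the gate at all, which is one more reason that two people clicking the same result can see different behaviour.
    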
  13. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    So the website may have been hacked...
    But I have reported that thing many times, and nothing happened.
    The fact that makes me think that all this is intentional is that the students that had gone to that website have experienced some "problems"... apparently their MSN conversations were logged and saved on the school's computer. :doubt:
     
  14. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    KIS2009 files it as a trojan containing site too...
     
  15. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    And ESET does as well (Trojan Redirector.E), but I sent the sample to Symantec 2 days ago; I checked with Norton again and it is still not detecting it??
     
  16. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    They send you an update once a day normally; imagine when you send a sample to them... Better wait a week or two. :)
     
  17. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    LinkScanner's on-site URL scanner shows the site as clean. If the site is still infected, the following all show clean:

    Link Scanner
    Dr. Web link checker
    finjan

    So much for those.
     
  18. ASpace

    ASpace Guest

    @ acr1965

    The scanners you show may be missing it, but my NOD32 didn't detect it either. The reason: I couldn't access the site :D Perhaps the webmaster noticed something and decided to fix it.

    edit: Right now I can't access that site again.
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Avira Personal Premium still detects it.
     
  20. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Maybe NOD32 has automatically blocked the site? Because the website has always worked for me, always infected.
    Probably yes, because I have scanned the infected javascript file with NOD32 and it did detect it as JS/Redirector.E
     
  21. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Dr.Web also detected the javascript file as Trojan.Redirect.10
     
  22. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Did you try with Dr. Web's link checker or the av program? The link checker is what I used and the site came back clean.
     
  23. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    The AV scanner, not the link checker. BTW, I think you can try using its link scanner (plugin for Firefox, Opera and IE) and scan the check.js file; it should detect it...
     